SharePoint 0-Day Attacks: Critical Exploitation in Progress
A critical zero-day vulnerability in Microsoft SharePoint Server is currently under active exploitation by attackers worldwide, with security experts describing it as one of the most severe SharePoint vulnerabilities in recent years. The attacks began around July 18, 2025, and have already compromised dozens of servers globally.
The Critical Vulnerability: CVE-2025-53770
CVE-2025-53770 is a remote code execution (RCE) vulnerability rated 9.8/10 on the CVSS scale, affecting on-premises SharePoint installations. The flaw is caused by SharePoint's unsafe deserialization of untrusted data, allowing unauthorized attackers to execute code over a network without any user interaction.
Affected Systems
The vulnerability impacts:
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server Subscription Edition
Importantly, SharePoint Online in Microsoft 365 is not affected by these attacks.
Active Exploitation and Attack Methods
Security researchers have identified a sophisticated attack campaign exploiting this zero-day vulnerability. Unlike typical web shell attacks, attackers are deploying a stealthy payload called spinstall0.aspx designed specifically to extract cryptographic secrets from SharePoint servers.
Attack Timeline and Scale
- July 18, 2025: Initial wave of attacks detected around 18:00 CET
- July 19, 2025: Second wave around 07:30 CET
- Dozens of servers have been confirmed compromised using identical payloads
The attacks target internet-facing SharePoint servers to:
- Install backdoors for persistent access
- Extract SharePoint server MachineKey configurations including ValidationKey and DecryptionKey
- Enable full system takeover capabilities
Relationship to Other Vulnerabilities
CVE-2025-53770 is a variant of CVE-2025-49706, which Microsoft attempted to patch in their July 2025 security update. However, the patches were incomplete, leading to this more dangerous zero-day exploitation. The vulnerability is also connected to:
- CVE-2025-49706: Authentication bypass vulnerability (CVSS 6.3)
- CVE-2025-53771: Path traversal flaw
- CVE-2025-49704: Code injection vulnerability
These vulnerabilities can be chained together in what researchers call the "ToolShell" attack.
Current Patch Status
No patch is currently available for CVE-2025-53770. Microsoft has released security updates for some related vulnerabilities:
| Product | Security Update Available | Status |
|---|---|---|
| SharePoint Subscription Edition | Yes (KB5002768) | Addresses CVE-2025-53771, which mitigates CVE-2025-53770 |
| SharePoint 2019 | Yes (KB5002754) | Limited protection |
| SharePoint 2016 | No | Update pending |
Mitigation Measures
Microsoft recommends immediate implementation of the following protections:
Essential Steps
- Enable AMSI Integration: Configure Antimalware Scan Interface (AMSI) in SharePoint with Full Mode for optimal protection
- Deploy Defender Antivirus on all SharePoint servers
- Disconnect from Internet: If AMSI cannot be enabled, remove internet access from SharePoint servers
- Rotate ASP.NET Machine Keys: Critical step after applying security updates
- Deploy Microsoft Defender for Endpoint or equivalent threat detection solutions
Detection and Monitoring
Organizations should monitor for specific indicators of compromise:
- Suspicious IIS worker process behavior
- POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Scanning from IP addresses: 107.191.58.76, 104.238.159.149, and 96.9.125.147
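The three indicators above can be checked mechanically against IIS W3C logs. The following script is an added example, not code from the original post or from Microsoft: it parses constructed sample log lines (the client IPs other than the three quoted above, and the spinstall0.aspx location, are assumptions) and reports every line that matches an indicator.

```python
"""Flag the ToolShell indicators named above in IIS W3C log lines."""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Scanning sources quoted in the post.
SCANNER_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
TOOLPANE = "/_layouts/15/toolpane.aspx"

# Constructed sample log; the spinstall0.aspx path and the other client IPs are assumptions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-18 17:02:11 203.0.113.5 GET /_layouts/15/start.aspx - 200
2025-07-18 17:03:40 198.51.100.23 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200
2025-07-18 17:03:52 198.51.100.23 GET /_layouts/15/spinstall0.aspx - 200
2025-07-18 17:05:01 107.191.58.76 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 401
"""


@dataclass
class Hit:
    line_no: int
    reason: str
    client_ip: str


def scan_iis_log(text: str) -> list[Hit]:
    """Return one Hit per indicator match; a single line can match more than once."""
    hits, fields = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        parts = line.split()
        if line.startswith("#") or len(parts) != len(fields):
            continue  # directive, blank, or malformed line
        rec = dict(zip(fields, parts))
        ip = rec.get("c-ip", "")
        stem = rec.get("cs-uri-stem", "").lower()
        # IIS writes "-" for an empty query; parse_qs yields {} for it.
        modes = [v.lower() for v in parse_qs(rec.get("cs-uri-query", "")).get("DisplayMode", [])]
        if rec.get("cs-method") == "POST" and stem.endswith(TOOLPANE) and "edit" in modes:
            hits.append(Hit(n, "POST to ToolPane.aspx with DisplayMode=Edit", ip))
        if stem.endswith("/spinstall0.aspx"):
            hits.append(Hit(n, "request for the spinstall0.aspx payload", ip))
        if ip in SCANNER_IPS:
            hits.append(Hit(n, "client IP is a known scanning source", ip))
    return hits


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason} from {h.client_ip}")
```

Point `scan_iis_log` at the contents of a real `u_ex*.log` file to run it over production logs; only POSTs count for the ToolPane indicator, so a bare GET with DisplayMode=Edit from an unlisted address is not flagged.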
Government and Security Agency Response
Multiple government agencies have issued urgent warnings:
- CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog and mandated that federal agencies apply mitigations by July 21, 2025
- Canadian Centre for Cyber Security confirmed exploitation occurring in Canada
- FBI acknowledged awareness of the attacks and stated they are working with federal and private sector partners
- Australian Cyber Security Centre issued advisories for affected organizations
The severity of this attack campaign underscores the critical importance of maintaining updated security configurations and having robust incident response plans for zero-day exploitations targeting enterprise infrastructure.